Scattered Lapsus$ Hunters Issue Farewell Statement: What It Means for Cybersecurity

Scattered Lapsus$ Hunters Announce Farewell

The notorious cybercriminal collective Scattered Lapsus$ Hunters has released a farewell manifesto on BreachForums.

This announcement, a mix of confession and deception, sheds light on the evolving tactics of modern cybercrime and the increasing effectiveness of global law enforcement.

Inside the Scattered Lapsus$ Hunters Manifesto

The group revealed advanced operational security practices uncommon in financially motivated cybercrime. They claimed their 72-hour silence was intentional, designed to validate contingency plans and mislead investigators such as the FBI and Mandiant. By describing high-profile breaches as tactical diversions, the Scattered Lapsus$ Hunters demonstrated a strategic mindset more often associated with nation-state actors than typical ransomware groups. Their claim of “leaving Google in wonder” after penetrating Workspace and Gmail branches hints at deeper access than disclosed.

Infrastructure Targeting and Hidden Threats

Perhaps the most concerning revelation was their suggestion of compromised data from major companies, including Air France, American Airlines, Kering, and British Airways. Some breaches were confirmed in 2025, including attacks on Air France and KLM. The group questioned whether this stolen data is already being exploited, mocking US, UK, Australian, and French authorities for believing they have control of the situation. Their cynicism reflects frustration with ongoing international investigations and arrests linked to affiliated groups.

Law Enforcement Pressure and Arrests

Since April 2024, at least eight arrests tied to Scattered Spider and ShinyHunters operations have occurred, including four in France during June 2025. These arrests highlight growing international cybersecurity collaboration between the FBI, French authorities, and other agencies. Interestingly, the manifesto expressed regret for those arrested, suggesting they were sacrificial members while core operators manipulated evidence to mislead investigators. This points to the group’s counterintelligence capabilities and willingness to sacrifice affiliates to protect leadership.

Collaboration Between Cybercriminal Groups

The Scattered Lapsus$ Hunters represented a merger of infamous groups: Scattered Spider, Lapsus$, and ShinyHunters. Each contributed unique strengths:

Scattered Spider – Social engineering expertise
Lapsus$ – Bold publicity-driven operations
ShinyHunters – Skilled in large-scale data theft

Their campaigns in 2025 showcased advanced tactics, including OAuth token abuse in Salesforce, AI-powered voice cloning for vishing, and custom tools for rapid data extraction. Google’s Threat Intelligence confirmed their use of specialized Salesforce exploitation tools.

Retirement or Reorganization?

The farewell statement listed multiple cybercrime groups (LAPSUS$, Trihash, IntelBroker, Scattered Spider, and others), claiming they were “going dark.” However, security experts suggest this is more likely a strategic reorganization under law enforcement pressure than a genuine retirement. This aligns with the FBI and CISA’s July 2025 advisory that warned of Scattered Spider’s “serious and ongoing threat.” With coordinated international crackdowns disrupting cybercrime operations, the group may be retreating temporarily to rebrand and adapt.

Key Takeaways for Cybersecurity

Operational Evolution: Cybercriminal groups are adopting nation-state-level deception, counterintelligence, and long-term planning.

Human-Centric Threats: Social engineering and identity exploitation remain key attack methods, reinforcing the need for employee awareness.

Law Enforcement Success: Coordinated global efforts are proving effective in disrupting cybercrime networks.

Infrastructure Risk: Third-party and supply chain vulnerabilities, especially OAuth token misuse, remain prime targets.

Conclusion

The end of Scattered Lapsus$ Hunters does not mark the end of their impact. Their techniques, tools, and strategies will likely inspire the next wave of cybercriminal operations. For businesses and cybersecurity professionals, this manifesto is both a warning and a lesson: modern threats are more sophisticated, but persistent international collaboration can force even the most dangerous groups to rethink their operations.